  1. upstream vault {
  2.     server 192.168.8.3:5443;
  3. }
  4.  
  5.     listen 80;
  6.     listen [::]:80;
  7.     server_name vault.example.com;
  8.     include /etc/nginx/letsencrypt.conf;
  9.  
  10.     return 301 https://vault.example.com$request_uri;
  11. }
  12.  
  13.     listen 443 ssl http2;
  14.     listen [::]:443 ssl http2;
  15.     server_name vault.example.com;
  16.  
  17.     ssl on;
  18.     ssl_certificate /etc/letsencrypt/live/vault.example.com/fullchain.pem;
  19.     ssl_certificate_key /etc/letsencrypt/live/vault.example.com/privkey.pem;
  20.     ssl_session_cache shared:SSL:50m;
  21.     ssl_session_tickets off;
  22.  
  23.     ssl_protocols TLSv1.2 TLSv1.3;
  24.     ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
  25.  
  26.     ssl_stapling on;
  27.     ssl_stapling_verify on;
  28.     ssl_dhparam /etc/letsencrypt/dhparams_4096.pem;
  29.  
  30.     ssl_trusted_certificate /etc/letsencrypt/live/vault.example.com/chain.pem;
  31.     resolver 84.200.69.80 84.200.70.40 [2001:1608:10:25::1c04:b12f] [2001:1608:10:25::9249:d69b] valid=300s;
  32.  
  33.     ssl_ecdh_curve secp384r1;
  34.  
  35.     access_log off;
  36.  
  37.     add_header Strict-Transport-Security max-age=15768000;
  38.     add_header Referrer-Policy same-origin;
  39.     add_header X-Content-Type-Options nosniff;
  40.     add_header X-XSS-Protection "1; mode=block";
  41.  
  42.     include error.pages.conf;
  43.  
  44.     server_tokens off;
  45.     large_client_header_buffers 4 32k;    # This is an important part for the api!
  46.  
  47.     location / {
  48.         proxy_pass https://vault;
  49.  
  50.         proxy_redirect off;
  51.         proxy_set_header Host $http_host;
  52.         proxy_set_header X-Real-IP $remote_addr;
  53.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  54.         proxy_set_header X-Forwarded-Proto $scheme;
  55.         proxy_set_header X-Forwarded-Protocol $scheme;
  56.         proxy_set_header X-Url-Scheme $scheme;
  57.         add_header Strict-Transport-Security max-age=15768000;
  58.     }
  59.  
  60. }
  61.